Encrypting File System (EFS)

Implementing Encrypting File System

  Introduction to EFS
  Implementing EFS in a Stand-Alone Microsoft Windows Environment
  Planning and Implementing EFS in a Domain Environment
  Implementing EFS File Sharing

Introduction to EFS

  What Is EFS?
  How EFS Works
  EFS Limitations
What Is EFS?

EFS:
  Provides encryption for files on NTFS volumes
  Ensures that sensitive or confidential data is more secure
  Uses a unique public/private key pair system

Windows XP and Windows Server 2003 EFS features:
  Additional users can be authorized
  Offline files can be encrypted
  Can use the 3DES encryption algorithm
  Data recovery agents are recommended, not required
How EFS Works

1. When a file is encrypted for the first time, EFS looks for an EFS certificate in the local certificate store
2. EFS generates a random file encryption key (FEK) for the file to be encrypted
3. EFS takes the public key of the user's certificate and encrypts the FEK
4. EFS stores the encrypted FEK in the DDF (Data Decryption Field) in the header of the file that is being encrypted
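The four steps above, modelled with .NET cryptography primitives from PowerShell. This is an added illustration, not code from the course or from Windows itself: real EFS keeps the user's key in the certificate store and the fields in the NTFS file header, whereas here everything lives in memory. The function names (New-EfsKeyPair, Protect-FileLikeEfs, Unprotect-FileLikeEfs) and the sample text are constructed. The model also includes the recovery field (DRF) that a data recovery agent uses, which the slides list as a recommended feature, to show why losing the only private key loses the data.

```powershell
# Added illustration of the EFS hybrid model (not course code). A random FEK
# encrypts the file body with AES; the FEK is then wrapped with the user's
# public key (DDF) and, optionally, with a recovery agent's public key (DRF).
# Either private key can unwrap the FEK; with no DRF, the user's private key
# is the only way to recover the data.

function New-EfsKeyPair {
    # Stand-in for an EFS certificate's key pair. Real EFS keeps this in the
    # user's certificate store; here it lives only in memory.
    New-Object System.Security.Cryptography.RSACng 2048
}

function Protect-FileLikeEfs {
    param(
        [byte[]] $Plaintext,
        [System.Security.Cryptography.RSA] $UserKey,
        [System.Security.Cryptography.RSA] $RecoveryKey = $null   # optional DRA key
    )
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey()      # step 2: a random FEK for this file only
    $aes.GenerateIV()
    $encryptor  = $aes.CreateEncryptor()
    $cipherText = $encryptor.TransformFinalBlock($Plaintext, 0, $Plaintext.Length)

    $oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
    $header = @{
        IV  = $aes.IV
        DDF = $UserKey.Encrypt($aes.Key, $oaep)   # steps 3-4: FEK wrapped with the user's public key
        DRF = $null                                # recovery field, filled only when a DRA exists
    }
    if ($RecoveryKey) { $header.DRF = $RecoveryKey.Encrypt($aes.Key, $oaep) }
    $aes.Dispose()
    return @{ Header = $header; Body = $cipherText }
}

function Unprotect-FileLikeEfs {
    param(
        [hashtable] $Protected,
        [System.Security.Cryptography.RSA] $PrivateKey,
        [switch] $AsRecoveryAgent
    )
    $oaep    = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
    $wrapped = if ($AsRecoveryAgent) { $Protected.Header.DRF } else { $Protected.Header.DDF }
    if (-not $wrapped) { throw 'No recovery field present: without a DRA, only the user''s private key can unwrap the FEK' }
    $fek = $PrivateKey.Decrypt($wrapped, $oaep)    # wrong key -> CryptographicException, data stays sealed
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek
    $aes.IV  = $Protected.Header.IV
    $decryptor = $aes.CreateDecryptor()
    $plain = $decryptor.TransformFinalBlock($Protected.Body, 0, $Protected.Body.Length)
    $aes.Dispose()
    return $plain
}

# Demonstration with constructed data
$userKey = New-EfsKeyPair
$draKey  = New-EfsKeyPair
$secret  = [System.Text.Encoding]::UTF8.GetBytes('constructed sample: Q3 payroll summary')

$sealed = Protect-FileLikeEfs -Plaintext $secret -UserKey $userKey -RecoveryKey $draKey
[System.Text.Encoding]::UTF8.GetString((Unprotect-FileLikeEfs $sealed $userKey))                   # owner, via DDF
[System.Text.Encoding]::UTF8.GetString((Unprotect-FileLikeEfs $sealed $draKey -AsRecoveryAgent))   # DRA, via DRF

# Same file sealed without a DRA: the owner's private key is the only way in
$sealedNoDra = Protect-FileLikeEfs -Plaintext $secret -UserKey $userKey
try { Unprotect-FileLikeEfs $sealedNoDra $draKey -AsRecoveryAgent } catch { Write-Warning $_.Exception.Message }
```

RSACng is used rather than RSA.Create() so that OAEP with SHA-256 is available on both Windows PowerShell 5.1 and PowerShell 7 on Windows. The last two lines are the point of the limitations slide that follows: the ciphertext is intact, but without either private key nothing can unwrap the FEK.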
EFS Limitations

  Potential loss of data if the private key is lost
  A dependency on user passwords
  File sharing is more difficult because user public keys must be accessible during encryption
  Does not secure network traffic
Implementing EFS in a Stand-Alone Microsoft Windows Environment

  Data Encryption Options
  What Is a Data Recovery Agent?
  Consequences of Resetting Local Passwords
  How To Disable EFS on a Stand-Alone Computer
  Practice: Implementing EFS on a Stand-Alone Windows Environment
Data Encryption Options

To encrypt data, use either:
  Windows Explorer
  The cipher command-line tool

Both tools can be used to:
  Configure file and folder encryption and decryption
  Encrypt just the folder, or the folder together with its subfolders and files
What Is a Data Recovery Agent?

A data recovery agent (DRA) is a user account that can decrypt files that have been encrypted by other users.
Windows Server 2003 and Windows XP do not automatically create a DRA.

To implement a DRA on a stand-alone computer:
  1. Use the cipher tool to create a DRA certificate and key pair
  2. Add the user account as a DRA
  3. To decrypt files, add the DRA certificate to the local certificate store
How to implement a DRA on a stand-alone computer

1. Log on to a Microsoft Windows XP-based computer or to a Microsoft Windows Server 2003-based computer by using the user account under which you want the Encrypting File System (EFS) recovery agent to run.
2. Create a new self-signed file recovery certificate and private key:
   1. Click Start, click Run, and then type cmd.
   2. Type cipher /r:file_name, and then press ENTER.
   3. When you are prompted for a password to protect the .pfx file, type a password that you will easily remember.
   4. Make sure that the new .cer and .pfx files are created in the same folder.
3. Add the user account as a DRA:
   1. Click Start, click Run, and then type gpedit.msc.
   2. Expand Computer Configuration, expand Security Settings, expand Public Key Policies, right-click Encrypting File System, and then click Add Data Recovery Agent.
   3. Browse to the .cer file that you created.
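Step 2 of the procedure, scripted and followed by a check on what cipher /r produced. This is an added example, not part of the course: the working folder and certificate name are assumptions, and cipher still prompts interactively for the .pfx password exactly as the slide describes. The inspection confirms that the .cer carries the Microsoft File Recovery enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4.1) before it is offered to Group Policy in step 3, which remains a gpedit.msc task.

```powershell
# Added example (not course code): create the DRA certificate with cipher /r
# and verify the output before adding it as a recovery agent in gpedit.msc.
$workDir  = 'C:\EFS-DRA'                                # assumed working folder
$certName = 'dra-' + (Get-Date -Format 'yyyyMMdd')      # assumed file name (no extension)

New-Item -ItemType Directory -Path $workDir -Force | Out-Null
Push-Location $workDir
# cipher /r:<name> writes <name>.cer (public certificate) and <name>.pfx
# (private key, protected by the password it prompts for twice)
cipher.exe /r:$certName
Pop-Location

$cerPath = Join-Path $workDir "$certName.cer"
$pfxPath = Join-Path $workDir "$certName.pfx"
if (-not (Test-Path $cerPath) -or -not (Test-Path $pfxPath)) {
    throw "cipher /r did not produce both $certName.cer and $certName.pfx in $workDir"
}

# Inspect the public certificate: the DRA must carry the File Recovery EKU
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'          # Microsoft "File Recovery" EKU
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
$hasRecoveryEku = $ekuOids -contains $fileRecoveryOid

[pscustomobject]@{
    Subject         = $cert.Subject
    Thumbprint      = $cert.Thumbprint
    NotAfter        = $cert.NotAfter
    FileRecoveryEku = $hasRecoveryEku
    PublicCert      = $cerPath     # this file is what gpedit.msc asks for in step 3
    PrivateKeyPfx   = $pfxPath     # this file is the recovery key itself
}
if (-not $hasRecoveryEku) {
    Write-Warning 'Certificate lacks the File Recovery EKU; do not add it as a DRA'
}
```

The .pfx is the recovery key: it should leave the computer for secure offline storage once created, and be imported into the local certificate store (the slide's step 3) only when a recovery is actually being performed, because any account holding it can decrypt every file the policy covers.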
Consequences of Resetting Local Passwords

If a local password is reset, the user will not be able to decrypt any files.
Users who implement EFS on stand-alone computers should create password-reset disks.

To recover data after a password reset:
  Log on as the user and reset the password back to the original password
  Use the password-reset disk
  Import an archived copy of the user's private key used for EFS
How to create a password reset disk

1. Click Start, and then click Control Panel.
2. In Control Panel, click User Accounts.
3. In the User Accounts pane, click the account that you want to work with.
4. Under Related Tasks, click Prevent a forgotten password to start the Forgotten Password Wizard, and then click Next.
5. Insert a blank, formatted disk into drive A, and then click Next.
6. In the Current user account password box, type the password for the user account that you chose in step 3, and then click Next.
   Note: If the user account does not have a password, do not type a password in the Current user account password box.
   The Forgotten Password Wizard creates the disk.
7. When the Progress bar reaches 100% complete, click Next, and then click Finish.
8. Remove and then label the password reset disk. Store the disk in a safe place.
How to Disable EFS on a Stand-Alone Computer

By default, all users can use EFS on stand-alone computers.
To decrease the risk of data that cannot be recovered, you can disable EFS on stand-alone computers.

To disable EFS, either:
  Modify the local security policy
  Modify the registry
How to disable EFS by using Local Security Policy

1. Open the GPO that you want to edit. You can use Active Directory Users and Computers or the GPMC to edit the GPO.
2. In the Group Policy Object Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Public Key Policies, and then click Encrypting File System.
3. Right-click Encrypting File System, and then click Properties.
4. Clear the Allow users to encrypt files using Encrypting File System (EFS) check box, and then click OK.
How to disable EFS by modifying the registry

1. Open the Registry Editor.
2. Locate the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS registry subkey.
3. On the Edit menu, click New, and then click DWORD Value.
4. Type EfsConfiguration for the value name and 1 for the value data. This value disables EFS.
5. Restart the computer.
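The registry procedure above as a script that first reports the current state, then inventories files that are already encrypted, and only applies the change when explicitly uncommented. This is an added example, not course material: the function names are constructed, and the inventory relies on cipher /u /n printing one full path per encrypted file, which the script filters on. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not course code): audit and apply the EfsConfiguration
# setting from the slide, with an inventory of existing encrypted files first.
$efsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

function Get-EfsState {
    # EfsConfiguration = 1 disables EFS; any other value, or no value, leaves it enabled
    $value = (Get-ItemProperty -Path $efsKey -Name EfsConfiguration -ErrorAction SilentlyContinue).EfsConfiguration
    [pscustomobject]@{
        Key              = $efsKey
        EfsConfiguration = $value
        EfsDisabled      = ($value -eq 1)
    }
}

function Get-EncryptedFileInventory {
    # cipher /u /n walks the local drives and prints the path of each encrypted
    # file without touching it; only lines that look like full paths are kept
    cipher.exe /u /n 2>$null | Where-Object { $_ -match '^[A-Za-z]:\\' }
}

function Disable-EfsOnThisComputer {
    # Steps 2-4 of the slide; step 5 (restart) is left to the administrator
    if (-not (Test-Path $efsKey)) { New-Item -Path $efsKey -Force | Out-Null }
    New-ItemProperty -Path $efsKey -Name EfsConfiguration -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host 'EfsConfiguration set to 1; restart the computer for the change to take effect'
}

Get-EfsState
$encrypted = @(Get-EncryptedFileInventory)
"Encrypted files found on local drives: $($encrypted.Count)"
$encrypted | Select-Object -First 20

# Uncomment after reviewing the inventory and confirming a key backup or DRA exists:
# Disable-EfsOnThisComputer
```

The inventory step is the caveat a practitioner wants here: disabling EFS stops new encryption, so knowing which files are already encrypted, and that their keys are backed up, should come before the registry change rather than after.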
Planning and Implementing EFS in a Domain Environment

  Benefits of Deploying EFS in a Domain Environment
  EFS and Certificate Services in a Domain Environment
  Data Recovery Agents in a Domain Environment
  Encryption Algorithm Options
Benefits of Deploying EFS in a Domain Environment

With an enterprise CA, EFS certificates are automatically distributed to users when they encrypt a file.
The user certificate is stored in the local certificate store and in Active Directory.

Benefits of EFS in a domain include:
  Centralized DRA management
  Centralized certificate management
  Centralized EFS policy configuration
  Simplified file sharing
EFS and Certificate Services in a Domain Environment

The integration of Certificate Services and EFS enables:
  Scalable and flexible centralized certificate management
  Multiple options for distributing certificates to users
  Reduced administrative effort by using certificate autoenrollment
  The migration of self-signed certificates to CA certificates
Data Recovery Agents in a Domain Environment

The Administrator account that installs the first domain controller is the DRA for the domain.

Create DRA policies to meet your organization's needs:
  Add or delete recovery agents
  Delete the recovery policy
  Block the use of EFS
  Add additional recovery agents at the domain or OU level

The EFS Recovery Agent certificate must be installed on a computer to decrypt data.
Encryption Algorithm Options

Operating System                                          EFS Algorithm   Key Strength
Windows Server 2003                                       AES             256 bit
Windows XP                                                DESX            128 bit
Windows XP SP1 or later                                   AES             256 bit
Windows 2000                                              DES             56 bit
Windows 2000 SP2 or later, or with High Encryption Pack   DESX            128 bit
Implementing EFS File Sharing

  What Is EFS File Sharing?
  File Sharing on Remote Servers
  Effects of Moving or Copying Encrypted Files Between Locations
  Practice: Implementing EFS File Sharing
What Is EFS File Sharing?

EFS file sharing provides:
  Users with the ability to allow other users to decrypt and view files
  Another opportunity for data recovery by adding additional users to an encrypted file
  An option to control access to files in addition to shared folder or NTFS permissions

EFS file sharing can only be assigned to users, not groups.
Options for Sharing Encrypted Files on Remote Servers

File sharing:
  Accomplished through delegation
  The remote server must be trusted for delegation in Active Directory if users are going to store encrypted files on it

Obtaining the private keys for users:
  If roaming profiles are used, the profile is downloaded to the server and the server impersonates the client while encrypting the file or folder
  If no roaming profile is available, the server generates a new profile for the user and requests or generates a self-signed certificate to encrypt the file or folder
Effects of Moving or Copying Encrypted Files Between Locations

  A. Unencrypted folder to encrypted folder
  B. Unencrypted file to encrypted folder
  C. Encrypted folder to unencrypted folder

Operations compared: Move and Copy for cases A and B; Copy for case C. The resulting encryption state of each operation was shown as icons on the original slide and did not survive extraction.
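A test harness for the cases above, which also exercises the cipher command-line tool the Data Encryption Options slide names for folder encryption. This is an added example, not course material: it creates a scratch folder under the current user's temp directory (an assumption), marks one subfolder encrypted with cipher /e, performs the move and copy operations, and reports whether each resulting file carries the NTFS Encrypted attribute. It reports rather than assumes the outcome, so the behaviour can be confirmed on the volume and Windows version in front of you. The user running it needs EFS enabled and a valid EFS certificate.

```powershell
# Added test harness (not course code): observe the Encrypted attribute after
# moving and copying files between plain and encrypted folders.
$root     = Join-Path $env:TEMP ('efs-lab-' + [guid]::NewGuid().ToString('N'))   # assumed scratch location
$plainDir = Join-Path $root 'plain'      # unencrypted folder
$encDir   = Join-Path $root 'enc'        # folder marked encrypted with cipher /e
New-Item -ItemType Directory -Path $plainDir, $encDir | Out-Null
cipher.exe /e $encDir | Out-Null         # files created in this folder afterwards are encrypted

function Test-Encrypted([string] $Path) {
    # True when the NTFS Encrypted attribute is set on the file
    $attrs = [int](Get-Item -LiteralPath $Path -Force).Attributes
    ($attrs -band [int][System.IO.FileAttributes]::Encrypted) -ne 0
}

function Invoke-Scenario([string] $Name, [scriptblock] $Action, [string] $ResultPath) {
    & $Action
    [pscustomobject]@{
        Scenario   = $Name
        ResultPath = $ResultPath
        Encrypted  = Test-Encrypted $ResultPath
    }
}

# Constructed sample files: two plain files for cases A/B, one encrypted file for case C
'constructed sample' | Set-Content (Join-Path $plainDir 'a-move.txt')
'constructed sample' | Set-Content (Join-Path $plainDir 'b-copy.txt')
'constructed sample' | Set-Content (Join-Path $encDir   'c-copy.txt')

$results = @(
    Invoke-Scenario 'A: plain file -> encrypted folder (Move)' `
        { Move-Item (Join-Path $plainDir 'a-move.txt') $encDir } (Join-Path $encDir 'a-move.txt')
    Invoke-Scenario 'B: plain file -> encrypted folder (Copy)' `
        { Copy-Item (Join-Path $plainDir 'b-copy.txt') $encDir } (Join-Path $encDir 'b-copy.txt')
    Invoke-Scenario 'C: encrypted file -> plain folder (Copy)' `
        { Copy-Item (Join-Path $encDir 'c-copy.txt') $plainDir } (Join-Path $plainDir 'c-copy.txt')
)
$results | Format-Table -AutoSize

# Remove the scratch folder so no test data, encrypted or not, is left behind
Remove-Item -LiteralPath $root -Recurse -Force
```

Reading the Encrypted attribute directly is the same check Windows Explorer makes when it colours encrypted files; it tells you whether the data on disk is protected, independent of which tool performed the move or copy.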
Practice: Implementing EFS File Sharing

In this practice you will:
  Enable local file sharing in EFS
  Enable remote file sharing in EFS

How to enable Local File Sharing

Right-click an encrypted file, open its Advanced Properties, and click the Details button; a user may be added from there. Click Add to add more users.
How to enable Remote File Sharing

  The files to be encrypted must be available to the user through a network share. Normal share-level security applies.
  The user must have Write or Modify permissions to encrypt or decrypt a file.
  The user must have either a local profile on the computer where EFS operations will occur or a roaming profile. If the user does not have a local profile on the remote computer or a roaming profile, EFS creates a local profile for the user on the remote computer.
  To encrypt a file, the user must have a valid EFS certificate. The certificate and keys are stored in the user's profile on the remote computer or in the user's roaming profile if available.
  To decrypt a file, the user's profile must contain the private key associated with the public key used to encrypt the file encryption key (FEK).
  EFS must impersonate the user to obtain access to the necessary public or private key:
    The computer must be a domain member in a domain that uses Kerberos authentication, because impersonation relies on Kerberos authentication and delegation.
    The computer must be trusted for delegation.
    The user must be logged on with a domain account that can be delegated.
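The three impersonation prerequisites above, checked against Active Directory before users are told to store encrypted files on a server. This is an added example, not course material: it uses the ActiveDirectory PowerShell module (RSAT), the server and user names are placeholders, and the function name is constructed. "Trusted for delegation" on the slide corresponds to the computer object's TrustedForDelegation attribute; "an account that can be delegated" is the inverse of the user's AccountNotDelegated flag.

```powershell
# Added example (not course code): verify the delegation prerequisites for
# remote EFS on a file server and for a user account.
Import-Module ActiveDirectory

function Test-EfsRemotePrerequisites {
    param(
        [Parameter(Mandatory)] [string] $ServerName,   # computer hosting the share
        [Parameter(Mandatory)] [string] $UserName      # sAMAccountName of the user
    )
    # A computer object in the domain also satisfies the "domain member using Kerberos" requirement
    $computer = Get-ADComputer -Identity $ServerName -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
    $user     = Get-ADUser     -Identity $UserName   -Properties AccountNotDelegated

    $result = [ordered]@{
        Server                       = $computer.Name
        ServerTrustedForDelegation   = [bool]$computer.TrustedForDelegation            # what the slide requires
        ConstrainedDelegationTargets = @($computer.'msDS-AllowedToDelegateTo' | Where-Object { $_ })  # informational
        User                         = $user.SamAccountName
        UserCanBeDelegated           = -not [bool]$user.AccountNotDelegated
    }
    $result.AllPrerequisitesMet = $result.ServerTrustedForDelegation -and $result.UserCanBeDelegated
    [pscustomobject]$result
}

$check = Test-EfsRemotePrerequisites -ServerName 'FILESRV01' -UserName 'jdoe'   # placeholder names
$check
if (-not $check.ServerTrustedForDelegation) {
    Write-Warning "$($check.Server) is not trusted for delegation; EFS cannot impersonate users on it"
}
if (-not $check.UserCanBeDelegated) {
    Write-Warning "$($check.User) is marked 'Account is sensitive and cannot be delegated'"
}
```

The ConstrainedDelegationTargets field is reported separately because a server configured only for constrained delegation to specific services does not meet the slide's "trusted for delegation" requirement as written; seeing both values side by side avoids mistaking one configuration for the other. Trusting a server for delegation also lets it act as any connecting user toward other services, so the set of servers that hold this flag is worth reviewing periodically, not just when EFS is deployed.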
Lab: Implementing Encrypting File System

Exercise: Configuring Group Policy to Support EFS
